
Workshop Setup (1) 

• Virtual machine 

• VMWare / VirtualBox 

• Ubuntu 10.04+ Live CD ISO 

• Internet connection (NAT/Bridge) 

• Install Ubuntu packages 

• Required packages 

$ sudo apt-get install nasm micro-inetd 

• Optional packages 

$ sudo apt-get install libc6-dbg vim ssh 

Workshop Setup (2) 

• PEDAtool 

• Download peda.tar.gz at: http://ropshell.c 

• Unpack to home directory 
$ tar zxvf peda.tar.gz 

• Create a “.gdbinit” 

$ echo "source ~/peda/peda.py" >> ~/.gdbinit 

• Workshop exercises 

• Download bhus12-workshop.tar.gz at: 

http://ropshell.com/peda/ 

• Unpack to home directory 

$ tar zxvf bhus12-workshop.tar.gz 

Black Hat USA 2012 

Workshop Setup (3) 

• Temporarily disable ASLR 

$ sudo sysctl -w kernel.randomize_va_space=0 

• Allow ptrace processes 

$ sudo sysctl -w kernel.yama.ptrace_scope=0 

Demo: Sample Exploit Development session with GDB 

GDB or not GDB? 


• Standard debugger on *nix 

• Not ExDev oriented 

• Lack of intuitive interface 

• Lack of smart context display 

• Lack of commands for ExDev 

• GDB scripting is weak 

• Python GDB 

• Since GDB 7.0 

• Powerful scripting API (v7.2+) 

PEDA Introduction 

• Python Exploit Development Assistance for GDB 

• Python GDB init script 

• GDB 7.x, Python2.6+ 

• Handy commands for exploit development 

• Self help manual 

• Auto-completion of commands, options 

• Framework for writing custom commands 

PEDA features 


• Memory operations 

• Debugging helpers 

• Exploit helpers 

• Utilities 

Exploit Development with PEDA 

Exploit Development Process 

• Occupy EIP 

• Find the offset(s) 

• Determine the attack vector 

• Build the exploit 

• Test/debug the exploit 

Occupied EIP, what next? 

• Find the offset(s) 

• Where is my buffer? Any register points to it? 

Attack vector (1) 

• Any exploit mitigation in place? 

• NX 

• ASLR 

• PIE 

• RELRO 

• CANARY 
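Checking which of these mitigations a binary was built with is what PEDA's checksec command automates. As an added example (not PEDA's or the workshop's code), here is a small stand-alone ELF64 checker that reads the program headers for NX, PIE and RELRO and looks for the stack-protector guard symbol; ASLR is not a property of the binary but of the kernel (kernel.randomize_va_space), so it is not reported here. build_elf, HARDENED and WEAK are constructed test fixtures, and the canary detection is a string-search heuristic.

```python
import struct

ET_DYN = 3                      # e_type of a PIE (position-independent executable)
PT_GNU_STACK = 0x6474E551       # program header carrying the stack permission flags
PT_GNU_RELRO = 0x6474E552       # segment the loader remaps read-only after relocation
PF_X = 0x1


def check_mitigations(elf: bytes) -> dict:
    """Report NX, PIE, RELRO and canary for an ELF64 image, the way checksec does."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("not an ELF64 image")
    # e_type .. e_phnum from the ELF64 header (fields after the 16-byte e_ident)
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from(
        "<HHIQQQIHHH", elf, 16)
    nx, relro = False, False    # no PT_GNU_STACK means the loader grants an executable stack
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True        # partial at least; full RELRO also needs DT_BIND_NOW
    return {
        "NX": nx,
        "PIE": e_type == ET_DYN,
        "RELRO": relro,
        # heuristic: gcc's stack protector calls __stack_chk_fail, so the name shows up in .dynstr
        "CANARY": b"__stack_chk_fail" in elf,
    }


def build_elf(e_type: int, phdrs, extra: bytes = b"") -> bytes:
    """Constructed test fixture: a header-only ELF64 image (not loadable) with the given phdrs."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8          # ELF64, little-endian
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x1000) for t, f in phdrs)
    return ehdr + body + extra


# Constructed samples: one hardened (PIE, RW stack, RELRO, canary), one with everything off.
HARDENED = build_elf(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)], b"\x00__stack_chk_fail\x00")
WEAK = build_elf(2, [(PT_GNU_STACK, 0x7)])

if __name__ == "__main__":
    import sys
    # pass a real binary on the command line, otherwise show the two constructed samples
    images = [open(sys.argv[1], "rb").read()] if len(sys.argv) > 1 else [HARDENED, WEAK]
    for img in images:
        print(check_mitigations(img))
```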

Attack vector (2) 

Find ways to code execution 

• ret2any: return to any executable, known place 

- stack 

- data / heap 

- text 

- library (libc) 

- code chunk (ROP) 

• control input buffer 

- stack pivoting 

Build the exploit 


• Payload 

• Shellcode 

• ret2any payload 

• Wrapper 

• Exploit skeleton 

Test and debug the exploit 

• Check for limitations 

• Badchars 

• Buffer size 

• Check for runtime effects 

• Modify/correct the exploit 

Demo & Practices 


• Buffer overflow exploit 

• Format string exploit 

• PEDA commands explanation and usage 

Python GDB scripting with PEDA (1) 

• Global instances 

• pedacmd: 

- Interactive commands 

- Return nothing 

- e.g: pedacmd.context_register() 

• peda: 

- Backend functions that interact with GDB 

- Return values 

- e.g: peda.getreg("eax") 

• Utilities 

• e.g: to_int(), format_address() 

Python GDB scripting with PEDA (2) 

• Getting help 

pyhelp peda 
pyhelp hex2str 

• One-liner / interactive uses 

python print peda.get_vmmap() 

python 
> status = peda.get_status() 
> while status == "BREAKPOINT": 
>     peda.execute("continue") 
>     status = peda.get_status()    # re-read the status, or the loop never terminates 
> end 

Python GDB scripting with PEDA (3) 


• External scripts 

# myscript.py 
def myrun(size): 
    # run the debuggee with a cyclic pattern of the given size as its argument 
    argv = cyclicpattern(size) 
    peda.execute("set args %s" % argv) 
    peda.execute("run") 

source myscript.py 
python myrun(100) 

Extending PEDA (1) 

PEDA structure 

• PEDA class 

- Interact with GDB 

- Backend functions 

• PEDACmd class 

- Interactive commands 

• Utilities 

- Config options 

- Common utils 

- External libraries 




Extending PEDA (2) 

Special functions 

• PEDA.execute() 

• PEDA.execute_redirect() 

• PEDACmd._is_running() 

• PEDACmd._missing_argument() 

• utils.execute_external_command() 

• utils.reset_cache() 

Extending PEDA (3) 

Writing new interactive command 

class PEDACmd(object): 
    def mycommand(self, *arg): 
        """ 
        First line of docstring is the description of command 
        Usage: 
            MYNAME arg1 arg2 
        """ 
        # get the arguments 
        (arg1, arg2) = normalize_argv(arg, 2) 

        # raise exception if missing argument 
        if not arg1: 
            self._missing_argument() 

        # check if attached to running process 
        if not self._is_running(): 
            return 

        # use PEDA backend functions 
        pid = peda.getpid() 

        # generate output 
        msg("My command: %d" % pid) 

Future plan 


• More platforms 

• ARM support 

• Integration 

• IDA 

• Available python libs (libheap, libformat, etc) 

• CERT's exploitable 

Thank you! 